apiVersion: kubeadm.k8s.io/v1beta4
kind: InitConfiguration
{% if kubeadm_token is defined %}
bootstrapTokens:
- token: "{{ kubeadm_token }}"
  description: "kubespray kubeadm bootstrap token"
  ttl: "24h"
{% endif %}
localAPIEndpoint:
  advertiseAddress: "{{ kube_apiserver_address }}"
  bindPort: {{ kube_apiserver_port }}
{% if kubeadm_certificate_key is defined %}
certificateKey: {{ kubeadm_certificate_key }}
{% endif %}
nodeRegistration:
{% if kube_override_hostname | default('') %}
  name: "{{ kube_override_hostname }}"
{% endif %}
{% if 'kube_control_plane' in group_names and 'kube_node' not in group_names %}
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/control-plane
{% else %}
  taints: []
{% endif %}
  criSocket: {{ cri_socket }}
{% if cloud_provider == "external" %}
  kubeletExtraArgs:
  - name: cloud-provider
    value: external
{% endif %}
  imagePullPolicy: {{ k8s_image_pull_policy }}
  imagePullSerial: {{ kubeadm_image_pull_serial | lower }}
{% if kubeadm_patches | length > 0 %}
patches:
  directory: {{ kubeadm_patches_dir }}
{% endif %}
---
apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration
clusterName: {{ cluster_name }}
encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}
certificateValidityPeriod: {{ kube_cert_validity_period }}
caCertificateValidityPeriod: {{ kube_ca_cert_validity_period }}
etcd:
{% if etcd_deployment_type != "kubeadm" %}
  external:
      endpoints:
{% for endpoint in etcd_access_addresses.split(',') %}
      - "{{ endpoint }}"
{% endfor %}
      caFile: {{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}
      certFile: {{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}
      keyFile: {{ etcd_cert_dir }}/{{ kube_etcd_key_file }}
{% elif etcd_deployment_type == "kubeadm" %}
  local:
    imageRepository: "{{ etcd_image_repo | regex_replace("/etcd$","") }}"
    imageTag: "{{ etcd_image_tag }}"
    dataDir: "{{ etcd_data_dir }}"
    extraArgs:
    - name: metrics
      value: {{ etcd_metrics }}
    - name: election-timeout
      value: "{{ etcd_election_timeout }}"
    - name: heartbeat-interval
      value: "{{ etcd_heartbeat_interval }}"
    - name: auto-compaction-retention
      value: "{{ etcd_compaction_retention }}"
{% if etcd_listen_metrics_urls is defined %}
    - name: listen-metrics-urls
      value: "{{ etcd_listen_metrics_urls }}"
{% endif %}
    - name: snapshot-count
      value: "{{ etcd_snapshot_count }}"
    - name: quota-backend-bytes
      value: "{{ etcd_quota_backend_bytes }}"
    - name: max-request-bytes
      value: "{{ etcd_max_request_bytes }}"
    - name: log-level
      value: "{{ etcd_log_level }}"
{% for key, value in etcd_extra_vars.items() %}
    - name: {{ key }}
      value: "{{ value }}"
{% endfor %}
    serverCertSANs:
{% for san in etcd_cert_alt_names %}
      - "{{ san }}"
{% endfor %}
{% for san in etcd_cert_alt_ips %}
      - "{{ san }}"
{% endfor %}
    peerCertSANs:
{% for san in etcd_cert_alt_names %}
      - "{{ san }}"
{% endfor %}
{% for san in etcd_cert_alt_ips %}
      - "{{ san }}"
{% endfor %}
{% endif %}
dns:
{% if 'addon/coredns' in kubeadm_init_phases_skip  %}
  disabled: true
{% endif %}
  imageRepository: {{ coredns_image_repo | regex_replace('/coredns(?!/coredns).*$', '') }}
  imageTag: {{ coredns_image_tag }}
networking:
  dnsDomain: {{ dns_domain }}
  serviceSubnet: "{{ kube_service_subnets }}"
{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
  podSubnet: "{{ kube_pods_subnets }}"
{% endif %}
{% if kubeadm_feature_gates %}
featureGates:
{%   for feature in kubeadm_feature_gates %}
  {{ feature | replace("=", ": ") }}
{%   endfor %}
{% endif %}
kubernetesVersion: v{{ kube_version }}
{% if kubeadm_config_api_fqdn is defined %}
controlPlaneEndpoint: "{{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}"
{% else %}
controlPlaneEndpoint: "{{ main_ip | ansible.utils.ipwrap }}:{{ kube_apiserver_port }}"
{% endif %}
certificatesDir: {{ kube_cert_dir }}
imageRepository: {{ kubeadm_image_repo }}
apiServer:
  extraArgs:
  - name: etcd-compaction-interval
    value: "{{ kube_apiserver_etcd_compaction_interval }}"
  - name: default-not-ready-toleration-seconds
    value: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
  - name: default-unreachable-toleration-seconds
    value: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
{% if kube_api_anonymous_auth is defined %}
{# TODO: rework once suppport for structured auth lands #}
  - name: anonymous-auth
    value: "{{ kube_api_anonymous_auth }}"
{% endif %}
{% if kube_apiserver_use_authorization_config_file %}
  - name: authorization-config
    value: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
{% else %}
  - name: authorization-mode
    value: "{{ authorization_modes | join(',') }}"
{% endif %}
  - name: bind-address
    value: "{{ kube_apiserver_bind_address }}"
{% if kube_apiserver_enable_admission_plugins | length > 0 %}
  - name: enable-admission-plugins
    value: "{{ kube_apiserver_enable_admission_plugins | join(',') }}"
{% endif %}
{% if kube_apiserver_admission_control_config_file %}
  - name: admission-control-config-file
    value: "{{ kube_config_dir }}/admission-controls.yaml"
{% endif %}
{% if kube_apiserver_disable_admission_plugins | length > 0 %}
  - name: disable-admission-plugins
    value: "{{ kube_apiserver_disable_admission_plugins | join(',') }}"
{% endif %}
  - name: apiserver-count
    value: "{{ kube_apiserver_count }}"
  - name: endpoint-reconciler-type
    value: lease
{% if etcd_events_cluster_enabled %}
  - name: etcd-servers-overrides
    value: "/events#{{ etcd_events_access_addresses_semicolon }}"
{% endif %}
  - name: service-node-port-range
    value: "{{ kube_apiserver_node_port_range }}"
  - name: service-cluster-ip-range
    value: "{{ kube_service_subnets }}"
  - name: kubelet-preferred-address-types
    value: "{{ kubelet_preferred_address_types }}"
  - name: profiling
    value: "{{ kube_profiling }}"
  - name: request-timeout
    value: "{{ kube_apiserver_request_timeout }}"
  - name: enable-aggregator-routing
    value: "{{ kube_api_aggregator_routing }}"
{% if kube_apiserver_service_account_lookup %}
  - name: service-account-lookup
    value: "{{ kube_apiserver_service_account_lookup }}"
{% endif %}
{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
  - name: oidc-issuer-url
    value: "{{ kube_oidc_url }}"
  - name: oidc-client-id
    value: "{{ kube_oidc_client_id }}"
{%   if kube_oidc_ca_file is defined %}
  - name: oidc-ca-file
    value: "{{ kube_oidc_ca_file }}"
{%   endif %}
{%   if kube_oidc_username_claim is defined %}
  - name: oidc-username-claim
    value: "{{ kube_oidc_username_claim }}"
{%   endif %}
{%   if kube_oidc_groups_claim is defined %}
  - name: oidc-groups-claim
    value: "{{ kube_oidc_groups_claim }}"
{%   endif %}
{%   if kube_oidc_username_prefix is defined %}
  - name: oidc-username-prefix
    value: "{{ kube_oidc_username_prefix }}"
{%   endif %}
{%   if kube_oidc_groups_prefix is defined %}
  - name: oidc-groups-prefix
    value: "{{ kube_oidc_groups_prefix }}"
{%   endif %}
{% endif %}
{% if kube_webhook_token_auth %}
  - name: authentication-token-webhook-config-file
    value: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
{% endif %}
{% if kube_webhook_authorization and not kube_apiserver_use_authorization_config_file %}
  - name: authorization-webhook-config-file
    value: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
{% endif %}
{% if kube_encrypt_secret_data %}
  - name: encryption-provider-config
    value: "{{ kube_cert_dir }}/secrets_encryption.yaml"
{% endif %}
  - name: storage-backend
    value: "{{ kube_apiserver_storage_backend }}"
{% if kube_api_runtime_config | length > 0 %}
  - name: runtime-config
    value: "{{ kube_api_runtime_config | join(',') }}"
{% endif %}
  - name: allow-privileged
    value: "true"
{% if kubernetes_audit or kubernetes_audit_webhook %}
  - name: audit-policy-file
    value: "{{ audit_policy_file }}"
{% endif %}
{% if kubernetes_audit %}
  - name: audit-log-path
    value: "{{ audit_log_path }}"
  - name: audit-log-maxage
    value: "{{ audit_log_maxage }}"
  - name: audit-log-maxbackup
    value: "{{ audit_log_maxbackups }}"
  - name: audit-log-maxsize
    value: "{{ audit_log_maxsize }}"
{% endif %}
{% if kubernetes_audit_webhook %}
  - name: audit-webhook-config-file
    value: "{{ audit_webhook_config_file }}"
  - name: audit-webhook-mode
    value: "{{ audit_webhook_mode }}"
{% if audit_webhook_mode == "batch" %}
  - name: audit-webhook-batch-max-size
    value: "{{ audit_webhook_batch_max_size }}"
  - name: audit-webhook-batch-max-wait
    value: "{{ audit_webhook_batch_max_wait }}"
{% endif %}
{% endif %}
{% for key in kube_kubeadm_apiserver_extra_args %}
  - name: "{{ key }}"
    value: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
{% endfor %}
{% if kube_apiserver_feature_gates or kube_feature_gates %}
  - name: feature-gates
    value: "{{ kube_apiserver_feature_gates | default(kube_feature_gates, true) | join(',') }}"
{% endif %}
{% if tls_min_version is defined %}
  - name: tls-min-version
    value: "{{ tls_min_version }}"
{% endif %}
{% if tls_cipher_suites is defined %}
  - name: tls-cipher-suites
    value: "{% for tls in tls_cipher_suites %}{{ tls }}{{ ',' if not loop.last else '' }}{% endfor %}"
{% endif %}
  - name: event-ttl
    value: "{{ event_ttl_duration }}"
{% if kubelet_rotate_server_certificates %}
  - name: kubelet-certificate-authority
    value: "{{ kube_cert_dir }}/ca.crt"
{% endif %}
{% if kube_apiserver_tracing %}
  - name: tracing-config-file
    value: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
{% endif %}
{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or apiserver_extra_volumes or ssl_ca_dirs | length %}
  extraVolumes:
{% if kube_token_auth %}
  - name: token-auth-config
    hostPath: {{ kube_token_dir }}
    mountPath: {{ kube_token_dir }}
{% endif %}
{% if kube_webhook_token_auth %}
  - name: webhook-token-auth-config
    hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
    mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %}
{% if kube_webhook_authorization %}
  - name: webhook-authorization-config
    hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
    mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
{% endif %}
{% if kube_apiserver_use_authorization_config_file %}
  - name: authorization-config
    hostPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
    mountPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
{% endif %}
{% if kubernetes_audit or kubernetes_audit_webhook %}
  - name: {{ audit_policy_name }}
    hostPath: {{ audit_policy_hostpath }}
    mountPath: {{ audit_policy_mountpath }}
{% if audit_log_path != "-" %}
  - name: {{ audit_log_name }}
    hostPath: {{ audit_log_hostpath }}
    mountPath: {{ audit_log_mountpath }}
    readOnly: false
{% endif %}
{% endif %}
{% if kube_apiserver_admission_control_config_file %}
  - name: admission-control-configs
    hostPath: {{ kube_config_dir }}/admission-controls
    mountPath: {{ kube_config_dir }}
    readOnly: false
    pathType: DirectoryOrCreate
{% endif %}
{% if kube_apiserver_tracing %}
  - name: tracing
    hostPath: {{ kube_config_dir }}/tracing
    mountPath: {{ kube_config_dir }}/tracing
    readOnly: true
    pathType: DirectoryOrCreate
{% endif %}
{% for volume in apiserver_extra_volumes %}
  - name: {{ volume.name }}
    hostPath: {{ volume.hostPath }}
    mountPath: {{ volume.mountPath }}
    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
{% endfor %}
{% if ssl_ca_dirs | length %}
{% for dir in ssl_ca_dirs %}
  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
    hostPath: {{ dir }}
    mountPath: {{ dir }}
    readOnly: true
{% endfor %}
{% endif %}
{% endif %}
  certSANs:
{% for san in apiserver_sans %}
  - "{{ san }}"
{% endfor %}
controllerManager:
  extraArgs:
  - name: node-monitor-grace-period
    value: "{{ kube_controller_node_monitor_grace_period }}"
  - name: node-monitor-period
    value: "{{ kube_controller_node_monitor_period }}"
{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
  - name: cluster-cidr
    value: "{{ kube_pods_subnets }}"
{% endif %}
  - name: service-cluster-ip-range
    value: "{{ kube_service_subnets }}"
{% if kube_network_plugin is defined and kube_network_plugin == "calico" and not calico_ipam_host_local %}
  - name: allocate-node-cidrs
    value: "false"
{% else %}
{% if ipv4_stack %}
  - name: node-cidr-mask-size-ipv4
    value: "{{ kube_network_node_prefix }}"
{% endif %}
{% if ipv6_stack %}
  - name: node-cidr-mask-size-ipv6
    value: "{{ kube_network_node_prefix_ipv6 }}"
{% endif %}
{% endif %}
  - name: profiling
    value: "{{ kube_profiling }}"
  - name: terminated-pod-gc-threshold
    value: "{{ kube_controller_terminated_pod_gc_threshold }}"
  - name: bind-address
    value: "{{ kube_controller_manager_bind_address }}"
  - name: leader-elect-lease-duration
    value: "{{ kube_controller_manager_leader_elect_lease_duration }}"
  - name: leader-elect-renew-deadline
    value: "{{ kube_controller_manager_leader_elect_renew_deadline }}"
{% if kube_controller_feature_gates or kube_feature_gates %}
  - name: feature-gates
    value: "{{ kube_controller_feature_gates | default(kube_feature_gates, true) | join(',') }}"
{% endif %}
{% for key in kube_kubeadm_controller_extra_args %}
  - name: "{{ key }}"
    value: "{{ kube_kubeadm_controller_extra_args[key] }}"
{% endfor %}
{% if kube_network_plugin is defined and kube_network_plugin not in ["cloud"] %}
  - name: configure-cloud-routes
    value: "false"
{% endif %}
{% if kubelet_flexvolumes_plugins_dir is defined %}
  - name: flex-volume-plugin-dir
    value: "{{ kubelet_flexvolumes_plugins_dir }}"
{% endif %}
{% if tls_min_version is defined %}
  - name: tls-min-version
    value: "{{ tls_min_version }}"
{% endif %}
{% if tls_cipher_suites is defined %}
  - name: tls-cipher-suites
    value: "{% for tls in tls_cipher_suites %}{{ tls }}{{ ',' if not loop.last else '' }}{% endfor %}"
{% endif %}
{% if controller_manager_extra_volumes %}
  extraVolumes:
{% for volume in controller_manager_extra_volumes %}
  - name: {{ volume.name }}
    hostPath: {{ volume.hostPath }}
    mountPath: {{ volume.mountPath }}
    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
{% endfor %}
{% endif %}
scheduler:
  extraArgs:
  - name: bind-address
    value: "{{ kube_scheduler_bind_address }}"
  - name: config
    value: "{{ kube_config_dir }}/kubescheduler-config.yaml"
{% if kube_scheduler_feature_gates or kube_feature_gates %}
  - name: feature-gates
    value: "{{ kube_scheduler_feature_gates | default(kube_feature_gates, true) | join(',') }}"
{% endif %}
  - name: profiling
    value: "{{ kube_profiling }}"
{% if kube_kubeadm_scheduler_extra_args | length > 0 %}
{% for key in kube_kubeadm_scheduler_extra_args %}
  - name: "{{ key }}"
    value: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
{% endfor %}
{% endif %}
{% if tls_min_version is defined %}
  - name: tls-min-version
    value: "{{ tls_min_version }}"
{% endif %}
{% if tls_cipher_suites is defined %}
  - name: tls-cipher-suites
    value: "{% for tls in tls_cipher_suites %}{{ tls }}{{ ',' if not loop.last else '' }}{% endfor %}"
{% endif %}
  extraVolumes:
  - name: kubescheduler-config
    hostPath: {{ kube_config_dir }}/kubescheduler-config.yaml
    mountPath: {{ kube_config_dir }}/kubescheduler-config.yaml
    readOnly: true
{% if scheduler_extra_volumes %}
{% for volume in scheduler_extra_volumes %}
  - name: {{ volume.name }}
    hostPath: {{ volume.hostPath }}
    mountPath: {{ volume.mountPath }}
    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
{% endfor %}
{% endif %}
---
apiVersion: kubeadm.k8s.io/v1beta4
kind: UpgradeConfiguration
apply:
  kubernetesVersion: v{{ kube_version }}
  allowExperimentalUpgrades: true
  certificateRenewal: {{ kubeadm_upgrade_auto_cert_renewal | lower }}
  etcdUpgrade: {{ (etcd_deployment_type == "kubeadm") | lower }}
  forceUpgrade: true
{% if kubeadm_ignore_preflight_errors | length > 0 %}
  ignorePreflightErrors:
{% for ignore_error in kubeadm_ignore_preflight_errors %}
  - "{{ ignore_error }}"
{% endfor %}
{% endif %}
{% if kubeadm_patches | length > 0 %}
  patches:
    directory: {{ kubeadm_patches_dir }}
{% endif %}
  imagePullPolicy: {{ k8s_image_pull_policy }}
  imagePullSerial: {{ kubeadm_image_pull_serial | lower }}
{% for skip_phase in kubeadm_init_phases_skip %}
{% if loop.first %}
  skipPhases:
{% endif %}
  - "{{ skip_phase }}"
{% endfor %}
node:
  certificateRenewal: {{ kubeadm_upgrade_auto_cert_renewal | lower }}
  etcdUpgrade: {{ (etcd_deployment_type == "kubeadm") | lower }}
{% if kubeadm_ignore_preflight_errors | length > 0 %}
  ignorePreflightErrors:
{% for ignore_error in kubeadm_ignore_preflight_errors %}
  - "{{ ignore_error }}"
{% endfor %}
{% endif %}
{% if kubeadm_patches | length > 0 %}
  patches:
    directory: {{ kubeadm_patches_dir }}
{% endif %}
  imagePullPolicy: {{ k8s_image_pull_policy }}
  imagePullSerial: {{ kubeadm_image_pull_serial | lower }}
{% for skip_phase in kubeadm_upgrade_node_phases_skip %}
{% if loop.first %}
  skipPhases:
{% endif %}
  - "{{ skip_phase }}"
{% endfor %}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
bindAddress: "{{ kube_proxy_bind_address }}"
clientConnection:
  acceptContentTypes: {{ kube_proxy_client_accept_content_types }}
  burst: {{ kube_proxy_client_burst }}
  contentType: {{ kube_proxy_client_content_type }}
  kubeconfig: {{ kube_proxy_client_kubeconfig }}
  qps: {{ kube_proxy_client_qps }}
{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
clusterCIDR: "{{ kube_pods_subnets }}"
{% endif %}
configSyncPeriod: {{ kube_proxy_config_sync_period }}
conntrack:
  maxPerCore: {{ kube_proxy_conntrack_max_per_core }}
  min: {{ kube_proxy_conntrack_min }}
  tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }}
  tcpEstablishedTimeout: {{ kube_proxy_conntrack_tcp_established_timeout }}
enableProfiling: {{ kube_proxy_enable_profiling }}
healthzBindAddress: "{{ kube_proxy_healthz_bind_address }}"
hostnameOverride: "{{ kube_override_hostname }}"
iptables:
  masqueradeAll: {{ kube_proxy_masquerade_all }}
  masqueradeBit: {{ kube_proxy_masquerade_bit }}
  minSyncPeriod: {{ kube_proxy_min_sync_period }}
  syncPeriod: {{ kube_proxy_sync_period }}
ipvs:
  excludeCIDRs: {{ kube_proxy_exclude_cidrs }}
  minSyncPeriod: {{ kube_proxy_min_sync_period }}
  scheduler: {{ kube_proxy_scheduler }}
  syncPeriod: {{ kube_proxy_sync_period }}
  strictARP: {{ kube_proxy_strict_arp }}
  tcpTimeout: {{ kube_proxy_tcp_timeout }}
  tcpFinTimeout: {{ kube_proxy_tcp_fin_timeout }}
  udpTimeout: {{ kube_proxy_udp_timeout }}
metricsBindAddress: "{{ kube_proxy_metrics_bind_address }}"
mode: {{ kube_proxy_mode }}
nodePortAddresses: {{ kube_proxy_nodeport_addresses }}
oomScoreAdj: {{ kube_proxy_oom_score_adj }}
portRange: {{ kube_proxy_port_range }}
{% if kube_proxy_feature_gates or kube_feature_gates %}
{% set feature_gates = ( kube_proxy_feature_gates | default(kube_feature_gates, true) ) %}
featureGates:
{%   for feature in feature_gates %}
  {{ feature | replace("=", ": ") }}
{%   endfor %}
{% endif %}
{# DNS settings for kubelet #}
{% if enable_nodelocaldns %}
{% set kubelet_cluster_dns = [nodelocaldns_ip] %}
{% elif dns_mode in ['coredns'] %}
{% set kubelet_cluster_dns = [skydns_server] %}
{% elif dns_mode == 'coredns_dual' %}
{% set kubelet_cluster_dns = [skydns_server,skydns_server_secondary] %}
{% elif dns_mode == 'manual' %}
{% set kubelet_cluster_dns = [manual_dns_server] %}
{% else %}
{% set kubelet_cluster_dns = [] %}
{% endif %}
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
clusterDNS:
{% for dns_address in kubelet_cluster_dns %}
- {{ dns_address }}
{% endfor %}
{% if kubelet_feature_gates or kube_feature_gates %}
{% set feature_gates = ( kubelet_feature_gates | default(kube_feature_gates, true) ) %}
featureGates:
{%   for feature in feature_gates %}
  {{ feature | replace("=", ": ") }}
{%   endfor %}
{% endif %}
